[rsbac] Restricting only one program

SamuliKärkkäinen skarkkai at woods.iki.fi
Thu Sep 4 06:19:30 MEST 2003


My goal in using RSBAC is to make those services that are visible to the
network, apache in particular, more resilient toward the buffer overflow
type attacks. I want to set up a configuration where apache is allowed to...

- map_exec libraries
- read but not write htdocs and certain system file like locales
- write to logs

And is not allowed to do nothing else. (I'm skipping some details.) I don't
want this configuration to have any effect on the rest of the system.

I've looked and tried configuring several RSBAC modules, and my impression
so far that none of them quite provide what I want. The RC module comes
close, but it has one problem. Let's say files that apache is allowed to
map_exec has type apache_libs. When I assign a library file to the
apache_libs type, it's no longer in the General_FD type. Hence, I must
ensure that the General_User role has proper rights to the apache_libs type.
This breaks the requirement "configuration shouldn't have any effect on the
rest of the system". This problem is easy to ignore when there are only a
few roles and types, but when there are a lot of them, it's hard to feel
confident General_FD still has the correct rights to all the types.

The ACL module seems to have a little difficult approach as well. If I have
understood correctly, all users always belong to the GROUP_0. Hence they
have all rights, unless I remove rights from GROUP_0. If I remove rights
from GROUP_0, all users in the system are affected. This makes it hard to
limit the scope of configuration to affect only one service.

The AUTH module by default allows nothing. I haven't found a way to make it
default to allowing everything, while allowing limiting rights of only
selected programs. Again, this makes it hard to create configuration whose
scope is limited to only apache and a few other programs.

But maybe I've missed something, and someone is willing to tell me how to
create a neat configuration suitable for my purposes?

-- 
  Samuli Kärkkäinen                   |\      _,,,---,,_
 skarkkai at woods.iki.fi ---------ZZZzz /,`.-'`'    -.  ;-;;,_------
http://www.woods.iki.fi              |,4-  ) )-,_. ,\ (  `'-'
                                     '---''(_/--'  `-'\_)


More information about the rsbac mailing list